Platform capabilities
Four pillars of defence.
One attack-proven platform.
Defensive intelligence, active enforcement, behavioural scoring, and loop-validated remediation - unified, integrated, and built to make each pillar sharper because they share the same brain.
Pillar 1
Defensive intelligence
The foundation of proactive defence. Know your adversaries before they know your attack surface.
Risk scoring
Every record gets a composite risk score derived from abuse history, network reputation, behavioural patterns, and known attack campaigns. Scores update continuously as new intelligence arrives.
Geolocation & attribution
Precise geolocation across 230+ countries. ISP identification, ASN mapping, and hosting-provider attribution for every record in the database.
Behavioural analysis
Pattern recognition across 224M+ records identifies scanning behaviour, brute-force campaigns, credential stuffing, and coordinated attack infrastructure.
70+ public sources, plus our own
Continuously ingested from 70+ public threat- intelligence feeds and our own sensor network deployed on real infrastructure. Aggregated, deduplicated, and scored - no manual intervention.
Live sensor catches
Every attack against our own protected infrastructure becomes a labelled observation. New attackers are profiled and propagated in real time - the customers we defend make each other safer.
Domain & email intelligence
Typosquat and homoglyph detection, look-alike domains targeting your brand, and malicious-sender scoring against the same engine that powers IP scoring. Export to your SIEM or any log aggregator in standard formats.
Refresh as fast as the threat moves
Stale blocklists are worse than no blocklists. Panthero refreshes every record at the cadence its threat category deserves - from real-time profiling of brand-new attackers all the way to long-lived malicious networks revalidated up to every 30 days. No flat schedules. No blanket TTLs.
| Threat category | Refresh window |
|---|---|
| Live sensor catches (brand-new attackers) | Real-time |
| Active brute-force attackers (SSH, FTP, IMAP, mail, SIP) | Hourly |
| Web attackers and scanners | Every few hours |
| Anonymous infrastructure (Tor, proxies, VPNs) | Every few hours |
| Botnets, command-and-control, malware infrastructure | Daily |
| Spam and abuse sources | Daily |
| Long-lived malicious networks (hijacked netblocks) | Up to 30 days |
Pillar 2
Active defence
Block threats before they reach your application layer. The modern descendant of decades of battle-tested firewall scripts, packaged for the way you actually deploy software today.
django-panthero
A drop-in middleware for Django (and any Python framework that speaks WSGI or ASGI). Install with pip, add one line to your middleware list, and every request is verified against the full Panthero intelligence in real time.
panthero-agent (.deb)
A Debian package for any Linux server. Installs in seconds, enforces at the kernel layer with ipset, and reports back to your dashboard. Think fail2ban, but exponentially broader and continuously updated from our intelligence pipeline.
Real-time enforcement
Every request is checked against the live database before it touches your application. Verdicts in under one millisecond on the decision engine, with built-in caching for hot-path workloads.
Volumetric & layer-7 mitigation
DDoS floods, slow-loris, request floods, and protocol-abuse patterns detected at the edge. Automated mitigation triggers before your services feel the impact. Layer-7 attacks that bypass volumetric filters get caught here.
Granular allowlists & policies
Per-host IP and CIDR allowlists. Trusted partners, internal services, and known-good crawlers bypass threat checks without weakening your security posture. Set risk thresholds, rate limits, and monitor-only rollouts per host.
Traffic logging
Every check creates an auditable record. Full request metadata, the risk score that drove the decision, and the action taken - stored for compliance reporting and forensic analysis.
Pillar 3
Behavioural scoring
A production machine-learning model scores every source by what it is trying to do, not just where it comes from. Behavioural profiling that gets sharper with every observation.
In production since 2018
The first ML model was built in 2013, before Panthero existed. The current production model has been scoring traffic since 2018 - the same year Panthero launched. Continuously refined ever since.
Intent classification
Sources are profiled by behaviour - brute-forcer, scanner, spammer, scraper, exploit attempt, credential stuffer. Knowing the why drives smarter defaults than knowing only the where.
Continuous learning
Every blocked request from our sensor network becomes a labelled training example. The model gets sharper as the platform grows - and every customer benefits, on every plan, immediately.
Pillar 4 - available with The Loop
Validated by Keelr
This is what Attack-Proven Defence actually means. When Panthero runs inside The Loop, Keelr validates every fix by re-attacking. The Defensive Agent turns findings into remediations, stages them, and promotes only what survives adversarial re-testing - with a human approving the final step into production.
Finding ingest & triage
Every exploitable finding Keelr validates gets piped into Panthero with full context - target, exploit proof, severity on the shared 0-100 scale, and remediation hints. The Defensive Agent takes it from there.
Compensating defence
The moment Keelr proves a finding is exploitable, the Defensive Agent deploys perimeter-level blocks - path rules, signature matches, rate limits - at the edge. You are protected while the real fix is being written. Auto-retired when the real fix ships.
Agent-written remediation
For findings the rule-based template library covers, the Defensive Agent instantiates the fix. For findings it does not cover, the Agent writes the remediation code as a versioned, signed Code Artifact you can read line by line in the portal.
Staging deployment
Fixes deploy autonomously to your pre-production environment through the surface you already run - django-panthero, panthero-agent, nginx, or Apache. No new infrastructure to adopt.
Re-attack validation
Keelr reruns the exact exploit path against staging after the fix lands. If the path is closed, the fix is confirmed. If not, the Agent iterates. Attack- Proven Defence means proven, not hoped for.
Human-gated prod promotion
The autonomous loop stops at production. A human on your team reviews the confirmed fix and approves the push. Your change-control posture stays intact - even as the discovery and validation work runs without you.
Operational visibility
Know what you cannot block
Not every incident is an attacker. Some are outages, routing issues, or quiet regressions. Panthero surfaces infrastructure health alongside defence so the same dashboard covers both fronts.
Heartbeats & probes
Configurable health checks at intervals from 30 seconds to 30 minutes. HTTP, HTTPS, TCP, and ICMP probes with customisable expected responses and timeout thresholds. Multi-location probes on Business and above.
Instant alerts
Downtime notifications via email, Slack, and webhooks. Configurable escalation policies with retry logic that eliminates false positives before alerting your team.
Status pages
Public and private status pages for your services. Communicate uptime to your customers with branded, real-time dashboards powered by your monitoring data. White-label on Enterprise.
API & delivery
One API. Every pillar.
Production-grade API designed for high-throughput workloads. Secure by default, fast by design - and the same API powers every pillar above.
HMAC authentication
Request-level authentication using HMAC-SHA256 signatures. Every API call is cryptographically verified - no bearer tokens to leak, no sessions to hijack.
Sub-millisecond decisions
Verdicts in under one millisecond on the decision engine. End-to-end latency depends on your network path to our EU regions, but the engine itself never gets in your way.
Stateless sessions
Short-lived JWT tokens for session management with automatic refresh. Scales horizontally without session store dependencies.
Technical specifications
| Protocol | HTTPS (TLS 1.3) |
| Authentication | HMAC-SHA256 + JWT |
| Response format | JSON |
| Rate limiting | Per-host configurable |
| Decision engine | < 1ms |
| Hosting regions | Across Europe |
| Compliance | GDPR, NIS2-aligned |
| Threat records | 224M+ |
Ready to run the loop?
Start with Pay-as-you-go on Panthero alone, or jump straight to The Loop for Attack-Proven Defence. Founding-customer pricing through 14 July 2026.